Penetration Testing mailing list archives

Re: [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall


From: Steve Hall <yjc62 () DIAL PIPEX COM>
Date: Tue, 23 Jan 2001 23:54:18 -0000

The following is a guess so treat it as such ;-)

SunScreens have a state table, which at default is quite small. This fills
quickly for sessions that are incomplete or have bombed.

Search on SunSolve for this and you'll find two postings, numbers I can't
remember atm, and these allow you to:

1. Increase the frequency that the table is cleared, I think it is 24 hours
by default.

2. Increase the size of the table, which again is 10000 by default, from
memory.

Hope this helps.



-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Vernon Vernon
Sent: 23 January 2001 08:11
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall


Hi All,

Currently my team has performed a SYN-Flood attack at one site, as part of
a penetration test, that is running SunScreen EFS on SunOS 5.6. We performed the
attack using TFN2K and managed to halt the server by using only one attack
machine. (The throughput is around 300-500k.)

Originally, the SunOS kernel parameters tcp_ip_abort_cinterval &
tcp_conn_req_max_q0 should be able to address this issue. We have tested the
following values:

tcp_ip_abort_cinterval = 60,000
tcp_conn_req_max_q0 = 2048/4096/even 300,000

However, it doesn't seem to be effective. We can still DoS the firewall from
one machine. We have discussed this with the vendor and the vendor cannot explain
why these do not work. They explained that this is the only countermeasure
(at OS level) they know of to defend against SYN-Flood on Sun machines.

Apart from using NIDS or configuring a router to provide SYN-Flood
countermeasures (which is quite costly), is there something wrong with the
above settings, or are there any other things that can be done at OS level to
address this problem?

Thanks a lot,

Vernon
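As an added check that is not part of this thread or of any vendor tooling: a small Python parser over `netstat -an` output that counts half-open (SYN_RCVD) entries per listening port and compares them with the tcp_conn_req_max_q0 ceiling Vernon is tuning, so you can see how full the q0 backlog actually is before and after changing it. The Solaris output layout and the sample lines are assumed and constructed, not captured from the site in question.

```python
from collections import defaultdict

# Added example, not from the thread. Constructed `netstat -an` TCP lines in the
# Solaris 2.6 layout (assumed): addresses are ip.port, the state is the last column.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -----------
192.0.2.10.80        198.51.100.7.40001       0      0  8760      0 SYN_RCVD
192.0.2.10.80        198.51.100.8.40002       0      0  8760      0 SYN_RCVD
192.0.2.10.80        198.51.100.9.40003       0      0  8760      0 SYN_RCVD
192.0.2.10.80        203.0.113.4.51000    8760      0  8760      0 ESTABLISHED
192.0.2.10.22        203.0.113.5.52000    8760      0  8760      0 ESTABLISHED
      *.80                 *.*                0      0  8760      0 LISTEN
"""

def split_addr(addr):
    """Split 'ip.port' into (ip, port); the port is the text after the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port

def half_open_by_port(netstat_text):
    """Return {local_port: (syn_rcvd_count, distinct_remote_hosts)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[-1] != "SYN_RCVD":
            continue  # header, separator, LISTEN and ESTABLISHED rows
        _, local_port = split_addr(fields[0])
        remote_host, _ = split_addr(fields[1])
        counts[local_port] += 1
        sources[local_port].add(remote_host)
    return {p: (counts[p], len(sources[p])) for p in counts}

def queue_pressure(netstat_text, q0_limit, warn_fraction=0.5):
    """Flag listeners whose half-open backlog is at or above warn_fraction of
    tcp_conn_req_max_q0. q0_limit is the value `ndd /dev/tcp tcp_conn_req_max_q0`
    reports on the box; it is passed in here rather than read live."""
    report = {}
    for port, (n, distinct) in half_open_by_port(netstat_text).items():
        report[port] = {"half_open": n, "distinct_sources": distinct,
                        "fill_ratio": n / q0_limit,
                        "alert": n >= warn_fraction * q0_limit}
    return report

if __name__ == "__main__":
    # q0_limit=4 is deliberately tiny so the constructed sample trips the alert.
    for port, r in queue_pressure(SAMPLE_NETSTAT, q0_limit=4).items():
        print(port, r)
```

A low distinct_sources count with a high half_open count points at a few hosts holding the queue open, while a flood like the one described (spoofed sources) shows many distinct sources per port.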


